Sun Java Web Console serialized object injection via JSF view state

Since it appears that there are no publicly disclosed details on Java serialization vulnerabilities triggered via JSF ViewState, I thought it would be a good idea to illustrate a bug I discovered in 2010. From slides 12 to 17, you can read more about this issue affecting Sun Java Web Console (which was the default web admin console for Solaris). I've also released an exploit (download here) that uses Hashtable collisions to trigger DoS. RCE is also possible via Apache Commons Collections.

Interestingly enough, old versions of javax.faces.ViewState (client-side and with no signature) can be abused in multiple ways:

SerialKiller v0.4

I've released a new version of SerialKiller with new features and improvements:

Basic logging support, using Java's native logging.

Profiling mode. While look-ahead whitelisting provides robust protection for modern applications, it requires a complete enumeration of all Java classes exchanged by the application. With this feature, it is possible to set up SK in "non-blocking" mode to enumerate all classes observed in client-server requests. A step-by-step tutorial on how to whitelist classes is available on the documentation page.

Signature parity with Ysoserial. I've created default blacklisting signatures for all exploits (as of 09/07) included in this popular payload generator tool.
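As an added example (not SerialKiller's own code) of the look-ahead filtering, logging and profiling mode described above: a minimal ObjectInputStream subclass whose resolveClass() checks each class name against a blacklist and a whitelist before any instance is created, logs every class it sees, and in profiling mode only records what it would have blocked instead of throwing. The class name, the rule lists and the log messages are constructed for this illustration, and List.of requires Java 9+.

```java
import java.io.*;
import java.util.List;
import java.util.logging.Logger;

// Hypothetical look-ahead ObjectInputStream (example, not SerialKiller's code).
// resolveClass() runs before any instance is created, so a rejected class
// never gets to deserialize. Rule lists below are constructed samples.
public class LookAheadObjectInputStream extends ObjectInputStream {
    private static final Logger LOG = Logger.getLogger("deser-filter");
    static final List<String> WHITELIST = List.of("java.lang.", "java.util.ArrayList");
    static final List<String> BLACKLIST = List.of("org.apache.commons.collections.functors.");
    private final boolean profiling; // true = log-only, non-blocking mode

    public LookAheadObjectInputStream(InputStream in, boolean profiling) throws IOException {
        super(in);
        this.profiling = profiling;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        LOG.info("class in stream: " + name); // basic logging of every class seen
        boolean denied = BLACKLIST.stream().anyMatch(name::startsWith)
                      || WHITELIST.stream().noneMatch(name::startsWith);
        if (denied && profiling) {
            LOG.warning("would block (profiling): " + name); // harvest names to build the whitelist
        } else if (denied) {
            throw new InvalidClassException(name, "rejected by deserialization filter");
        }
        return super.resolveClass(desc);
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static String readWith(byte[] data, boolean profiling) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new LookAheadObjectInputStream(new ByteArrayInputStream(data), profiling)) {
            return String.valueOf(in.readObject());
        } catch (InvalidClassException e) {
            return "rejected: " + e.classname;
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] list = serialize(new java.util.ArrayList<>(List.of("ok")));
        byte[] map = serialize(new java.util.HashMap<String, String>());
        System.out.println(readWith(list, false)); // whitelisted class, blocking mode: deserialized
        System.out.println(readWith(map, true));   // unlisted class, profiling mode: logged, not blocked
        System.out.println(readWith(map, false));  // unlisted class, blocking mode: caught and reported
    }
}
```

Running the same stream in profiling mode first and in blocking mode afterwards mirrors the enumerate-then-enforce workflow: the warnings collected during profiling are the candidates for the whitelist.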